Old 05-23-2010, 06:30 PM   #1
wvroger
LQ Newbie
 
Registered: May 2010
Posts: 1

Fail2ban regex help please


I'm trying to get a working regex for Kerio Mailserver. The security logs have the following:

[23/May/2010 02:20:40] Failed POP3 login from 69.50.222.6, user diana@commgtonline.com.
[23/May/2010 02:20:42] Failed POP3 login from 69.50.222.6, user fred@commgtonline.com.
[23/May/2010 02:20:43] Failed POP3 login from 69.50.222.6, user matt@commgtonline.com.

I have searched the web (Google) and can't find anything for Kerio. I've tried the following without success:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 510 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
#timeregex = \S{3}[ ]{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#timepattern = %%d/%%m/%%Y %%H:%%M:%%S

failregex = \[Failed POP3 login from\].*from <HOST>


# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =


Any help would be greatly appreciated.

Thanks

roger at emailstore.us
 
Old 05-23-2010, 07:30 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

That's odd because if I google://fail2ban +kerio then this (failregex = .* Failed (POP3|IMAP) login from <HOST>.*$) and that (failregex = POP3: Invalid password for user * Attempt from IP address \[.*:<HOST>\]) are the only two entries above this thread. Since you commented out your time regex maybe try "failregex = ^.*Failed POP3 login from <HOST>,.*$" (bit greedy) and if this doesn't work please don't say "it doesn't work" but use 'fail2ban-regex' to test.
 
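The regexes discussed in this thread, run against the log lines quoted in the first post, as an added example that is not part of either post and is not fail2ban's own code. It expands <HOST> using the alias shown in the filter comment block, searches each whole line (as fail2ban 0.8 did), and then checks whether the captured host actually parses as an IP address. That last check is where the `<HOST>.*$` variant found on the web goes wrong on Kerio's comma-terminated address: `\S+` is greedy and swallows the trailing comma, so the "host" becomes `69.50.222.6,`, which cannot be banned. The sample log is constructed to match the format above (an IMAP failure and a successful login are added), and the fourth regex, which covers both POP3 and IMAP, is my own generalization of unSpawn's; the date handling, ignoreregex handling and IP validation here are an emulation for testing, not a reproduction of fail2ban's internals.

```python
import re
import ipaddress

# Constructed sample lines in the Kerio Mailserver security-log format quoted in the thread.
SAMPLE_LOG = """\
[23/May/2010 02:20:40] Failed POP3 login from 69.50.222.6, user diana@commgtonline.com.
[23/May/2010 02:20:42] Failed POP3 login from 69.50.222.6, user fred@commgtonline.com.
[23/May/2010 02:21:05] Failed IMAP login from 198.51.100.7, user matt@commgtonline.com.
[23/May/2010 02:22:00] Successful POP3 login from 192.0.2.9, user fred@commgtonline.com.
"""

# What fail2ban 0.8 substitutes for the <HOST> tag (see the comment block in the filter file).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Kerio's leading "[dd/Mon/yyyy HH:MM:SS]" stamp; used only to report the time of each hit.
DATE_RE = re.compile(r"^\[(\d{2}/[A-Z][a-z]{2}/\d{4} \d{2}:\d{2}:\d{2})\]")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_ALIAS))


def find_failures(failregex, log, ignoreregex=None):
    """Return (timestamp, host) for every line the failregex matches.

    Lines matching ignoreregex are skipped first, mirroring the filter's ignoreregex
    option. This is a standalone emulation: it searches the whole line and does not
    reproduce fail2ban's date detection, counting or banning.
    """
    fail_rx = compile_failregex(failregex)
    ignore_rx = re.compile(ignoreregex) if ignoreregex else None
    hits = []
    for line in log.splitlines():
        if ignore_rx and ignore_rx.search(line):
            continue
        m = fail_rx.search(line)
        if not m:
            continue
        d = DATE_RE.match(line)
        hits.append((d.group(1) if d else None, m.group("host")))
    return hits


def hosts_to_ban(failregex, log, ignoreregex=None):
    """Split distinct captured hosts into those that parse as IP addresses and those
    that do not (e.g. '69.50.222.6,' when the regex lets \\S+ eat the comma)."""
    good, bad = [], []
    for _, host in find_failures(failregex, log, ignoreregex):
        try:
            ipaddress.ip_address(host)
            if host not in good:
                good.append(host)
        except ValueError:
            if host not in bad:
                bad.append(host)
    return good, bad


# The three candidates from the thread, plus one (assumed, mine) covering both protocols.
CANDIDATES = {
    "poster":  r"\[Failed POP3 login from\].*from <HOST>",          # literal brackets: never matches
    "web_hit": r".* Failed (POP3|IMAP) login from <HOST>.*$",       # \S+ captures the trailing comma
    "unspawn": r"^.*Failed POP3 login from <HOST>,.*$",             # comma anchors the host; POP3 only
    "both":    r"^.*Failed (?:POP3|IMAP) login from <HOST>,.*$",    # same anchoring, POP3 and IMAP
}

if __name__ == "__main__":
    for name, rx in CANDIDATES.items():
        good, bad = hosts_to_ban(rx, SAMPLE_LOG)
        print(f"{name:8s} bannable={good} unparseable={bad}")
```

The take-away is the trailing `,` after `<HOST>`: it forces the greedy `\S+` to back off the comma, so the captured group is the bare address. Against the real log, the check to run is the one unSpawn names, e.g. `fail2ban-regex /path/to/kerio/security.log /etc/fail2ban/filter.d/kerio.conf` (both paths assumed); it prints how many lines each failregex matched and which hosts it extracted, which tells you immediately whether the comma problem is present.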